The court case that could sink safe harbor

The next defining blow to data transfers between the United States and the European Union could be a transatlantic own goal.

The 2nd U.S. Circuit Court of Appeals in New York will decide within months whether the U.S. government can force Microsoft to hand over emails stored on a server in Ireland in a drug-trafficking investigation.

The case highlights tensions between the U.S. and EU over protecting personal data and the powers of law enforcement. That friction has escalated since October 6, when the European Court of Justice struck down the 15-year-old “safe harbor” agreement that gave companies a legal mechanism to transfer data across the Atlantic.

The two sides are racing to renegotiate the safe harbor pact by the end of January, but the impending appellate court decision — and what it could say about data protection standards in the U.S. — weighs heavily.

“An adverse ruling could have an impact on the current safe harbor discussions by exposing a gap in U.S. legal protections,” John Frank, Microsoft’s vice president for EU government affairs, said in an interview. The key question: “Whether the U.S. government can reach into a European data center to obtain the personal communications of EU citizens without paying any attention to EU law.”

In late 2013, the U.S. Department of Justice (DOJ) served Microsoft with a criminal search warrant under the Stored Communications Act, seeking all content associated with a specific email account held on the company’s servers in Dublin.

Microsoft refused, arguing that the DOJ should make its request to Irish authorities under the Mutual Legal Assistance Treaty (MLAT), adopted by the countries in 2001 to facilitate transfers of evidence in criminal investigations.

The DOJ claimed it didn’t need to go through MLAT because Microsoft is a U.S.-based company, owns the emails and can transfer them from Ireland with a few clicks.

Microsoft maintains the emails belong to the user.

“When a person stores his or her most personal information in the cloud, it should be entitled to the same protection as the same information stored on paper in a desk drawer, or in a sealed letter, or on the hard drive of a computer,” Frank said.

Balkanization of data

The U.S. disagrees, and timing may be a factor. Requests under MLAT often take six months to a year to process.

Two judges have already sided with the DOJ, but the tech giant continues to appeal and said it will take the case to the U.S. Supreme Court, if necessary.

Experts on both sides of the Atlantic are concerned a ruling in favor of the DOJ would add weight to the argument that Europeans’ data is not safe in the U.S. and endanger the replacement mechanism for safe harbor currently in the works. The ECJ struck down the original safe harbor agreement because it believed the U.S. did not provide adequate data protection for EU citizens’ personal information.

The Republic of Ireland, Member of the European Parliament Jan Albrecht, 28 technology and media companies, 23 trade associations and advocacy organizations, and 35 computer scientists have filed briefs with the court in support of Microsoft.

“We’re obviously an interested onlooker,” said Mark MacGann, Uber’s head of European affairs. Uber is concerned about the precedent set by the courts siding with the DOJ. “We certainly hope the court does the sensible thing here. As a company that is responsible for protecting masses of user and driver data, we are looking at the case extremely carefully.”

Microsoft is concerned that by pursuing the emails directly, the DOJ has endangered data flows between the U.S. and the EU.

“Respect for the integrity of a sovereign state’s legal process is what guides the mutual legal assistance treaty process. Without this respect, a further Balkanization of data will result,” said Michael Zweiback, a former chief of the cyber crime prosecutions section in the U.S. Attorney’s Office in Los Angeles and now a lawyer with Arent Fox.

“The greater the DOJ presses this issue, the harder the EU will strive to implement rules to repatriate data from abroad and impose stiff penalties upon any company which allows the [DOJ] access,” he added.

The stakes are high for companies on both sides of the Atlantic.

“This isn’t just about companies doing what they should, but about governments doing so. It’s about passing the right rules and obeying those rules. We need to ensure governments do what’s expected of them, not just ask companies to be piggy in the middle,” said James Waterworth, vice president for Europe for the Computer and Communications Industry Association, of which Microsoft is a member.

Should Microsoft lose, it will be in the unenviable position of choosing to comply with a U.S. court order or breaching EU laws.

“If the U.S. government can unilaterally obtain information stored in European data centers, it will undercut European privacy protections and encourage countries around the world to claim similar powers to access information stored in other countries without respecting local law,” Microsoft’s Frank said.

EU privacy proponents are equally concerned.

“What we are now doing is saying ‘Yeah we have rules, but they’re not working out, so we’ll just go around them,’” said Albrecht, a Greens MEP and the vice-chair of Parliament’s civil liberties committee. “What we should be doing is improving MLAT cooperation.”